ci: add release workflow (Docker + GitHub Release)#65
Merged
Conversation
- Add .github/workflows/release.yml triggered only on v* tags - Docker job: build amd64 image and push to GHCR (ghcr.io) - Release job: create GitHub Release with auto release notes - Update docker-compose.yml to use prebuilt GHCR image
There was a problem hiding this comment.
Pull request overview
This PR introduces an automated release pipeline that publishes a Docker image to GHCR and creates a GitHub Release when a v* tag is pushed, and updates the Compose setup to run from a prebuilt image rather than building locally.
Changes:
- Add a tag-triggered GitHub Actions workflow to build/push a Docker image to GHCR.
- Add automated GitHub Release creation with optional
RELEASE_NOTES_<version>.mdbody support. - Update
docker-compose.ymlto pullghcr.io/...:latestinstead of building from the local Dockerfile.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
docker-compose.yml |
Switch service from local build to pulling a prebuilt GHCR image. |
.github/workflows/release.yml |
New workflow to publish Docker images and create GitHub Releases on v* tag pushes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+67
to
+72
| release: | ||
| name: GitHub Release | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
|
|
There was a problem hiding this comment.
The release job runs independently of the Docker publish job, so a GitHub Release could be created even if the image build/push fails. To make the release process atomic and match the PR intent (“自动完成两件事”), set the release job to depend on the docker job (e.g., via a needs: docker).
| build: | ||
| context: . | ||
| dockerfile: Dockerfile | ||
| image: ghcr.io/dwgx/windsurf-api:latest |
There was a problem hiding this comment.
Hard-coding ghcr.io/dwgx/windsurf-api:latest reduces portability (e.g., repo transfer/rename, self-hosted mirrors) and :latest is not reproducible for deployments. Consider using an overridable image reference via env substitution (with a sensible default) and/or pinning to a version tag in example configs.
Suggested change
| image: ghcr.io/dwgx/windsurf-api:latest | |
| image: ${WINDSURF_API_IMAGE:-ghcr.io/dwgx/windsurf-api:1.0.0} |
Prevent pre-release tags (e.g. v2.0.7-rc.1) from overwriting :latest tag
Owner
|
辛苦 @abwuge,模板写得清爽,发版流程也细致到 prerelease 自动判定,这块照单收。 只有一个小细节想跟你对一下,是 镜像落到了
- name: Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
- images: ghcr.io/${{ github.repository }}
+ images: ghcr.io/${{ github.repository_owner }}/windsurf-api另外想顺手把 这两处我接着 merge 你这个 PR 之后直接在 master 顺手补一下,你不用再反工,全部功劳都还是你的。再次感谢 ✨ |
dwgx
added a commit
that referenced
this pull request
Apr 25, 2026
…tion
- workflow 推到 `ghcr.io/dwgx/windsurf-api`(之前 `${{ github.repository }}` lowercase
后是 `windsurfapi` 没有横杠,跟 docker-compose 期望的 `windsurf-api` 不匹配,
merge 后会直接 image-not-found)
- docker-compose 把 `build:` 块加回去,跟 `image:` 并排:拉镜像的用户照常拉,
本地开发改代码迭代用 `docker compose up --build` 自构建,两边都不丢
follow-up to #65 / @abwuge
Owner
|
哎呀我去 docker出了一堆问题 不过还是谢谢你的贡献 |
Contributor
Author
是吗,我本地和我的fork都测试过了来着。。。 不过我本地测了好几种方案,这个pr是最后rebase过来的,可能是这里的问题 |
dwgx
added a commit
that referenced
this pull request
Apr 27, 2026
把之前关掉但没合的几个外部 PR 里方向干净的 hunk 单独 cherry-pick 进 主线,作者署名通过 Co-authored-by trailer 保留;顺带把 v2.0.11 之后 陆续落主线的 Anthropic prompt-caching、cascade pool 设备隔离、tier modal 文案修复等合一打包。 PR #80 (@ZLin98) 安全加固——三件事进主线: - LS env allowlist:buildLanguageServerEnv 只白名单 HOME / PATH / LANG / TMPDIR / HTTP(S)_PROXY / SSL trust 八类,AWS / GitHub / CI secret 不再泄漏给 LS 子进程。proxy override 与 /root HOME fallback 原行为保留。 - 跨平台 workspace 重置:execSync('mkdir -p /tmp/... && rm -rf') 改 Node fs,Windows 不再因为缺 POSIX shell 启动失败。base 从硬编码 /tmp/ 改为 os.tmpdir() 派生。 - Dashboard auth 收紧:移除 ?pwd= query string fallback。logs/stream 早就从 EventSource 迁到 fetch + ReadableStream,query 路径已无客户端 在用,留着只会让 password 进 access log 与浏览器历史。 #80 其余 6 项(HOST 默认 127.0.0.1 + ensurePublicAuth、feature flag 默认全关、getAccountList 默认不返 apiKey、sessionStorage 替换、 FORWARD_CALLER_ENV opt-in、scripts/start.js launcher)都是行为变化或 UX 倒退,没并是怕一次破坏现有 docker / dashboard 部署,但思路完全 合理,未来按需逐项推进。 Credits 面板补三位贡献者(src/dashboard/data/contributors.json 单一数据源,默认 + sketch 两套 dashboard 同时显示): - ZLin98 #80 — A 级,安全加固先行者 - Yuuqq #73 — B+ 级,Windows 兼容性首位实测人(sanitize URL、 OPTIONS 204、pool regex escape 三处摘进 44ad502) - abwuge #65 — A 级,GHCR + GitHub Release 自动发布流水线 (v2.0.6+ 发版链路就是他这条 workflow) 测试: 4 条新增 buildLanguageServerEnv 用例 (allowlist enforcement / proxy override / HOME fallback / SSL trust pass-through),合 237/237 全过。 Co-authored-by: ZLin98 <ZLin98@users.noreply.github.com>
huanchen
pushed a commit
to huanchen/WindsurfAPI
that referenced
this pull request
May 3, 2026
Tag 推送 v* 时自动构建 Docker 镜像推 GHCR + 创建 GitHub Release(RELEASE_NOTES_x.y.z.md 自动当 body,含 - 自动 prerelease)。docker-compose 改为拉预构建镜像,省去用户本地 build。 镜像名大小写细节将在 follow-up 提交里收尾。 感谢 @abwuge
huanchen
pushed a commit
to huanchen/WindsurfAPI
that referenced
this pull request
May 3, 2026
…tion
- workflow 推到 `ghcr.io/dwgx/windsurf-api`(之前 `${{ github.repository }}` lowercase
后是 `windsurfapi` 没有横杠,跟 docker-compose 期望的 `windsurf-api` 不匹配,
merge 后会直接 image-not-found)
- docker-compose 把 `build:` 块加回去,跟 `image:` 并排:拉镜像的用户照常拉,
本地开发改代码迭代用 `docker compose up --build` 自构建,两边都不丢
follow-up to dwgx#65 / @abwuge
huanchen
pushed a commit
to huanchen/WindsurfAPI
that referenced
this pull request
May 3, 2026
把之前关掉但没合的几个外部 PR 里方向干净的 hunk 单独 cherry-pick 进 主线,作者署名通过 Co-authored-by trailer 保留;顺带把 v2.0.11 之后 陆续落主线的 Anthropic prompt-caching、cascade pool 设备隔离、tier modal 文案修复等合一打包。 PR dwgx#80 (@ZLin98) 安全加固——三件事进主线: - LS env allowlist:buildLanguageServerEnv 只白名单 HOME / PATH / LANG / TMPDIR / HTTP(S)_PROXY / SSL trust 八类,AWS / GitHub / CI secret 不再泄漏给 LS 子进程。proxy override 与 /root HOME fallback 原行为保留。 - 跨平台 workspace 重置:execSync('mkdir -p /tmp/... && rm -rf') 改 Node fs,Windows 不再因为缺 POSIX shell 启动失败。base 从硬编码 /tmp/ 改为 os.tmpdir() 派生。 - Dashboard auth 收紧:移除 ?pwd= query string fallback。logs/stream 早就从 EventSource 迁到 fetch + ReadableStream,query 路径已无客户端 在用,留着只会让 password 进 access log 与浏览器历史。 dwgx#80 其余 6 项(HOST 默认 127.0.0.1 + ensurePublicAuth、feature flag 默认全关、getAccountList 默认不返 apiKey、sessionStorage 替换、 FORWARD_CALLER_ENV opt-in、scripts/start.js launcher)都是行为变化或 UX 倒退,没并是怕一次破坏现有 docker / dashboard 部署,但思路完全 合理,未来按需逐项推进。 Credits 面板补三位贡献者(src/dashboard/data/contributors.json 单一数据源,默认 + sketch 两套 dashboard 同时显示): - ZLin98 dwgx#80 — A 级,安全加固先行者 - Yuuqq dwgx#73 — B+ 级,Windows 兼容性首位实测人(sanitize URL、 OPTIONS 204、pool regex escape 三处摘进 041d139) - abwuge dwgx#65 — A 级,GHCR + GitHub Release 自动发布流水线 (v2.0.6+ 发版链路就是他这条 workflow) 测试: 4 条新增 buildLanguageServerEnv 用例 (allowlist enforcement / proxy override / HOME fallback / SSL trust pass-through),合 237/237 全过。 Co-authored-by: ZLin98 <ZLin98@users.noreply.github.com>
dwgx
pushed a commit
that referenced
this pull request
May 9, 2026
Tag 推送 v* 时自动构建 Docker 镜像推 GHCR + 创建 GitHub Release(RELEASE_NOTES_x.y.z.md 自动当 body,含 - 自动 prerelease)。docker-compose 改为拉预构建镜像,省去用户本地 build。 镜像名大小写细节将在 follow-up 提交里收尾。 感谢 @abwuge
dwgx
added a commit
that referenced
this pull request
May 9, 2026
…tion
- workflow 推到 `ghcr.io/dwgx/windsurf-api`(之前 `${{ github.repository }}` lowercase
后是 `windsurfapi` 没有横杠,跟 docker-compose 期望的 `windsurf-api` 不匹配,
merge 后会直接 image-not-found)
- docker-compose 把 `build:` 块加回去,跟 `image:` 并排:拉镜像的用户照常拉,
本地开发改代码迭代用 `docker compose up --build` 自构建,两边都不丢
follow-up to #65 / @abwuge
dwgx
added a commit
that referenced
this pull request
May 9, 2026
把之前关掉但没合的几个外部 PR 里方向干净的 hunk 单独 cherry-pick 进 主线,作者署名通过 Co-authored-by trailer 保留;顺带把 v2.0.11 之后 陆续落主线的 Anthropic prompt-caching、cascade pool 设备隔离、tier modal 文案修复等合一打包。 PR #80 (@ZLin98) 安全加固——三件事进主线: - LS env allowlist:buildLanguageServerEnv 只白名单 HOME / PATH / LANG / TMPDIR / HTTP(S)_PROXY / SSL trust 八类,AWS / GitHub / CI secret 不再泄漏给 LS 子进程。proxy override 与 /root HOME fallback 原行为保留。 - 跨平台 workspace 重置:execSync('mkdir -p /tmp/... && rm -rf') 改 Node fs,Windows 不再因为缺 POSIX shell 启动失败。base 从硬编码 /tmp/ 改为 os.tmpdir() 派生。 - Dashboard auth 收紧:移除 ?pwd= query string fallback。logs/stream 早就从 EventSource 迁到 fetch + ReadableStream,query 路径已无客户端 在用,留着只会让 password 进 access log 与浏览器历史。 #80 其余 6 项(HOST 默认 127.0.0.1 + ensurePublicAuth、feature flag 默认全关、getAccountList 默认不返 apiKey、sessionStorage 替换、 FORWARD_CALLER_ENV opt-in、scripts/start.js launcher)都是行为变化或 UX 倒退,没并是怕一次破坏现有 docker / dashboard 部署,但思路完全 合理,未来按需逐项推进。 Credits 面板补三位贡献者(src/dashboard/data/contributors.json 单一数据源,默认 + sketch 两套 dashboard 同时显示): - ZLin98 #80 — A 级,安全加固先行者 - Yuuqq #73 — B+ 级,Windows 兼容性首位实测人(sanitize URL、 OPTIONS 204、pool regex escape 三处摘进 44ad502) - abwuge #65 — A 级,GHCR + GitHub Release 自动发布流水线 (v2.0.6+ 发版链路就是他这条 workflow) 测试: 4 条新增 buildLanguageServerEnv 用例 (allowlist enforcement / proxy override / HOME fallback / SSL trust pass-through),合 237/237 全过。 Co-authored-by: ZLin98 <ZLin98@users.noreply.github.com>
dwgx
pushed a commit
that referenced
this pull request
Jun 4, 2026
Tag 推送 v* 时自动构建 Docker 镜像推 GHCR + 创建 GitHub Release(RELEASE_NOTES_x.y.z.md 自动当 body,含 - 自动 prerelease)。docker-compose 改为拉预构建镜像,省去用户本地 build。 镜像名大小写细节将在 follow-up 提交里收尾。 感谢 @abwuge
dwgx
added a commit
that referenced
this pull request
Jun 4, 2026
…tion
- workflow 推到 `ghcr.io/dwgx/windsurf-api`(之前 `${{ github.repository }}` lowercase
后是 `windsurfapi` 没有横杠,跟 docker-compose 期望的 `windsurf-api` 不匹配,
merge 后会直接 image-not-found)
- docker-compose 把 `build:` 块加回去,跟 `image:` 并排:拉镜像的用户照常拉,
本地开发改代码迭代用 `docker compose up --build` 自构建,两边都不丢
follow-up to #65 / @abwuge
dwgx
added a commit
that referenced
this pull request
Jun 4, 2026
把之前关掉但没合的几个外部 PR 里方向干净的 hunk 单独 cherry-pick 进 主线,作者署名通过 Co-authored-by trailer 保留;顺带把 v2.0.11 之后 陆续落主线的 Anthropic prompt-caching、cascade pool 设备隔离、tier modal 文案修复等合一打包。 PR #80 (@ZLin98) 安全加固——三件事进主线: - LS env allowlist:buildLanguageServerEnv 只白名单 HOME / PATH / LANG / TMPDIR / HTTP(S)_PROXY / SSL trust 八类,AWS / GitHub / CI secret 不再泄漏给 LS 子进程。proxy override 与 /root HOME fallback 原行为保留。 - 跨平台 workspace 重置:execSync('mkdir -p /tmp/... && rm -rf') 改 Node fs,Windows 不再因为缺 POSIX shell 启动失败。base 从硬编码 /tmp/ 改为 os.tmpdir() 派生。 - Dashboard auth 收紧:移除 ?pwd= query string fallback。logs/stream 早就从 EventSource 迁到 fetch + ReadableStream,query 路径已无客户端 在用,留着只会让 password 进 access log 与浏览器历史。 #80 其余 6 项(HOST 默认 127.0.0.1 + ensurePublicAuth、feature flag 默认全关、getAccountList 默认不返 apiKey、sessionStorage 替换、 FORWARD_CALLER_ENV opt-in、scripts/start.js launcher)都是行为变化或 UX 倒退,没并是怕一次破坏现有 docker / dashboard 部署,但思路完全 合理,未来按需逐项推进。 Credits 面板补三位贡献者(src/dashboard/data/contributors.json 单一数据源,默认 + sketch 两套 dashboard 同时显示): - ZLin98 #80 — A 级,安全加固先行者 - Yuuqq #73 — B+ 级,Windows 兼容性首位实测人(sanitize URL、 OPTIONS 204、pool regex escape 三处摘进 5a4eae9) - abwuge #65 — A 级,GHCR + GitHub Release 自动发布流水线 (v2.0.6+ 发版链路就是他这条 workflow) 测试: 4 条新增 buildLanguageServerEnv 用例 (allowlist enforcement / proxy override / HOME fallback / SSL trust pass-through),合 237/237 全过。 Co-authored-by: ZLin98 <ZLin98@users.noreply.github.com>
dwgx
added a commit
that referenced
this pull request
Jun 4, 2026
把之前关掉但没合的几个外部 PR 里方向干净的 hunk 单独 cherry-pick 进 主线,作者署名通过 Co-authored-by trailer 保留;顺带把 v2.0.11 之后 陆续落主线的 Anthropic prompt-caching、cascade pool 设备隔离、tier modal 文案修复等合一打包。 PR #80 (@ZLin98) 安全加固——三件事进主线: - LS env allowlist:buildLanguageServerEnv 只白名单 HOME / PATH / LANG / TMPDIR / HTTP(S)_PROXY / SSL trust 八类,AWS / GitHub / CI secret 不再泄漏给 LS 子进程。proxy override 与 /root HOME fallback 原行为保留。 - 跨平台 workspace 重置:execSync('mkdir -p /tmp/... && rm -rf') 改 Node fs,Windows 不再因为缺 POSIX shell 启动失败。base 从硬编码 /tmp/ 改为 os.tmpdir() 派生。 - Dashboard auth 收紧:移除 ?pwd= query string fallback。logs/stream 早就从 EventSource 迁到 fetch + ReadableStream,query 路径已无客户端 在用,留着只会让 password 进 access log 与浏览器历史。 #80 其余 6 项(HOST 默认 127.0.0.1 + ensurePublicAuth、feature flag 默认全关、getAccountList 默认不返 apiKey、sessionStorage 替换、 FORWARD_CALLER_ENV opt-in、scripts/start.js launcher)都是行为变化或 UX 倒退,没并是怕一次破坏现有 docker / dashboard 部署,但思路完全 合理,未来按需逐项推进。 Credits 面板补三位贡献者(src/dashboard/data/contributors.json 单一数据源,默认 + sketch 两套 dashboard 同时显示): - ZLin98 #80 — A 级,安全加固先行者 - Yuuqq #73 — B+ 级,Windows 兼容性首位实测人(sanitize URL、 OPTIONS 204、pool regex escape 三处摘进 5a4eae9) - abwuge #65 — A 级,GHCR + GitHub Release 自动发布流水线 (v2.0.6+ 发版链路就是他这条 workflow) 测试: 4 条新增 buildLanguageServerEnv 用例 (allowlist enforcement / proxy override / HOME fallback / SSL trust pass-through),合 237/237 全过。 Co-authored-by: ZLin98 <ZLin98@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
改了什么 / What changed
新增
.github/workflows/release.yml,仅在推送v*tag 时触发,自动完成两件事:linux/amd64镜像并推送到 GHCR (ghcr.io)同时将
docker-compose.yml从本地构建 (build:) 改为拉取预构建镜像 (image: ghcr.io/dwgx/windsurf-api:latest),用户无需 clone 代码即可部署。为什么 / Why
docker compose build,改为直接docker pull更方便我有强迫症,用了docker 就不想下载源码,作者按需合并吧测试 / Testing
vtesttag 触发 workflow,两个 job 均成功通过ghcr.io/abwuge/windsurf-api:latest)vtesttag 和对应 Release发版流程
RELEASE_NOTES_2.0.7.md→ 自动作为 Release body-,例如-alpha/-beta/-rc→ 自动标记为 Pre-releaseChecklist